[tor-bugs] #23574 [Internal Services/Tor Sysadmin Team]: Don't allow text injection in our 404 page
Tor Bug Tracker & Wiki
blackhole at torproject.org
Tue Sep 19 09:40:31 UTC 2017
#23574: Don't allow text injection in our 404 page
-------------------------------------------------+-------------------------
Reporter: gk | Owner: tpa
Type: defect | Status: closed
Priority: Medium | Milestone:
Component: Internal Services/Tor Sysadmin Team | Version:
Severity: Normal | Resolution: invalid
Keywords: | Actual Points:
Parent ID: | Points:
Reviewer: | Sponsor:
-------------------------------------------------+-------------------------
Comment (by hiro):
I think the importat point is that no code can be executed.
You can test by passing javascript to the url and it doesn't do anything.
Although, if we really care we can have the message in the 404 page just
to say "The URL you typed was not found" or something along those lines,
without having to repeat the URL.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/23574#comment:2>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list